The Server Operators group must have the ability to schedule jobs by means of the AT command disabled.

From Windows 2008 Domain Controller Security Technical Implementation Guide

Part of Task Scheduling - Server Operators

Associated with IA controls: ECSC-1

SV-28493r1_rule The Server Operators group must have the ability to schedule jobs by means of the AT command disabled.

Vulnerability discussion

This policy controls the ability of members of the local Server Operators group to schedule AT jobs. If disabled, only administrators can schedule jobs that use AT commands. Unlike Scheduled Tasks which require you to specify the credential under which the task will run, AT jobs run under the authority of whatever account the AT service runs (SYSTEM by default). Non administrators who can schedule AT commands, thus have a means to elevate their privileges. Although this setting is disabled, Server Operators will still be able to schedule jobs using Task Scheduler.

Check content

Fix text

Set the value for “Domain Controller: Allow server operators to schedule tasks” to “Disabled”. The policy referenced configures the following registry value: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Control\LSA\ Value Name: SubmitControl Value Type: REG_DWORD Value: 0

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer